- From: Richard Schwerdtfeger <richschwer@gmail.com>
- Date: Wed, 22 Jun 2016 12:58:01 -0500
- To: Mike Cooper <cooper@w3.org>
- Cc: ARIA <public-aria@w3.org>
- Message-Id: <F7203DE5-66DA-4351-AF22-C1D6847BFAB0@gmail.com>
Well, Michael, as it turns out input type=“password” is not secure either. I will be filing an APA issue.

The first bullet is a new one I had not seen. However, the same bots can search for the label “password” on input fields and do the same thing. There is nothing new here.

Rich

> On Jun 22, 2016, at 12:20 PM, Michael Cooper <cooper@w3.org> wrote:
>
> In my previous message <https://lists.w3.org/Archives/Public/public-aria/2016Jun/0177.html> I tried to separate out the risks people were concerned about with the password role, that I think are not caused by the role itself. Here I want to identify the risks that *are* created by the role, so we can weigh those since they're the ones I argue are the only ones we should be considering for the role. So far, two concerns specific to the role stick out in my memory:
>
> - The presence of the role makes it easier for bots to discover custom password fields and exploit such unsecured fields.
> - The availability of the role may encourage authors to use custom password fields with the risks those bring.
>
> Are there others I missed? That are caused by the password role itself, not by custom password fields in general.
>
> Michael

Received on Wednesday, 22 June 2016 17:58:30 UTC